Expand test suite to cover RSA as well as ed25519

tests: test DKIM signing and verification
This test makes use of DNSOverride and the new verifying milter to ensure that signatures can be verified properly. It doesn't test the actual interaction with the public DNS, but getting that kind of test to work on arbitrary platforms might be more trouble than it's worth. I note that the DNSOverride only works as long as testkey.dns is a single line, which is fine for ed25519, but maybe not for RSA.
2019-02-21 19:21:38 -05:00 · 2019-02-21 19:21:38 -05:00 · 2019-02-21 19:21:38 -05:00 · 2019-02-21 19:21:38 -05:00 · 2019-02-21 19:21:38 -05:00 · 2019-02-21 19:21:38 -05:00
18 changed files with 963 additions and 390 deletions
@@ -1,3 +1,4 @@
 dist
 dkimpy_milter.egg-info
 *.pyc
+*~
@@ -1,3 +1,51 @@
+1.0.1 2019-02-11
+ * Reorder milter start and dropping privileges so permissions on Unix socket
+   are correct (LP: 1797720)
+ - Make domain checks case insensitive for determining if signing should be
+   done (LP: #1815311)
+ - Add additional Sendmail configuration information to README from OpenDKIM
+   update based on input from Дилян Палаузов (LP: #1801619)
+ - Add information on Ed25519 key creation to README (LP: #1815313)
+
+1.0.0 2018-05-11
+ - Minor documentation updates
+ - Deleted reference to obsolete syslog target in unit file
+
+0.9.7 2018-03-19
+ - Made sysv init executable
+ - Add missing documentation key to system/dkimpy-milter.service
+ - Put version directly in setup.py and do not import dkimpy_milter to ease
+   install via pip
+ - Minor sysv init improvments
+
+0.9.6 2018-03-13
+ - Fixed typo in package installation section of README
+ - Added more to README about first run with systemd
+ - Fixed typo in path for fallback location of the config file if one is not
+   provided
+ - Added protection for malformed From addresses.  If the From does not at
+   least have an '@' in the address, then the signing domain is not extracted
+   and the message will not be signed
+
+0.9.5.1 2018-03-10
+ - Add conf file location to systemd unit file
+ - Fix setup.py install locations so they are installed correctly
+
+0.9.5 2018-03-10
+ - Beta 1 (updated Alpha -> Beta warning in README and trove classifiers)
+ - Added support for MacroList option
+ - Added support for MacroListVerify option
+ - Added example in README to show use of MacroList* to separate inbound and
+   outbound mail streams
+ - Added support for SyslogSuccess option (both signing and verifying)
+ - Rationalized logging to be much less verbose unless SyslogSuccess or
+   debugLevel are set - default is generally start/stop/errors only
+ - Fixed install_requires so either dnspython (preferred if neither is
+   installed) or PyDNS satisfies the install requirements
+ - Updated Authentication Results result comment not to mention key size for
+   ed25519 signatures, since it's irrelevant
+ - Enhanced signature verification logging to provide more useful information
+
 0.9.4 2018-03-09
 - Create PID directory if it is missing
 - Fix crash when verifying if domain for signing was not set
@@ -1,11 +1,17 @@
-This is a DKIM signing and verification milter.  In theory it works with both
-Postfix and Sendmail, but the author has zero experience with Sendmail, so
-reports of success/failure with Sendmail and patches are welcom.
+OVERVIEW
+========
+
+This is a DKIM signing and verification milter.  It has been tested with both
+Postfix and Sendmail.

 The configuration file is designed to be compatible with OpenDKIM, but only
 a subset of OpenDKIM options are supported.  If an unsupported option is
 specified, an error will be raised.

+
+INSTALLATION
+===========
+
 This package includes a default configuration file and man pages.  For those
 to be installed when installing using setup.py, the following incantation is
 required because setuptools developers decided not being able to do this by
@@ -13,11 +19,11 @@ default is a feature:

 python setup.py install --single-version-externally-managed --record=/dev/null

-For users of Debian Stable (Debian 9, Codename Squueze), all dependencies are
+For users of Debian Stable (Debian 9, Codename Squeeze), all dependencies are
 available in either the main or backports repositories:

-[sudo] apt install python-milter python-nacl pthon-ipaddress python-dnspython
-[sudo] apt install -t squeeze-backports python-authres python-dkim
+[sudo] apt install python-milter python-nacl python-ipaddress python-dnspython
+[sudo] apt install -t stretch-backports python-authres python-dkim

 The preferred method of installation is from PyPi using pip (if distribution
 packages are not available):
@@ -25,12 +31,57 @@ packages are not available):
 [sudo] pip install dkimpy_milter

 Using pip will cause required packages to be installed via easy_install if they
-have not been previously installed.
+have not been previously installed.  Because pymilter and PyNaCl are compiled
+Python extensions, the system will need appropriate development packages and
+an C compiler.  Alternately, install these dependencies from dsitribution/OS
+packages and then pip install dkimpy_milter.

 The milter will work with either pydns (DNS) or dnspython (dns), preferring
 dnspython is both are available.  The dkimpy DKIM module also works with
 either.

+
+SETUP
+====
+
+SIGNING KEYS
+============
+
+In order to create DKIM signatures, a private key must be available.  Signing
+keys should be protected (owned by root:root with permissions 600 in a
+directory that is not world readable).  Different keys are required for RSA
+and (if used) Ed25519.
+
+RSA
+===
+
+Both public and private keys for RSA have standard formats and there are many
+tools available to create them.  Keys must (RFC 8302) have a minimum size of
+1024 bits and should have a size of at least 2048 bits.  The dknewkey script
+that is provided with dkimpy is one such tool:
+
+dknewkey exampleprivkey
+
+will produce both the private key file (.key suffix) and a file with the DKIM
+public key record to be published DNS (.dns suffix).  RSA is the default key
+type.  2048 bits is the default key size.
+
+ED25519
+=======
+
+There is no standardized non-binary representation for Ed25519 private keys,
+so in order to generate Ed25519 keys for dkimpy-milter, dkimpy specific tools
+must be used to be compatible.  The same dknewkey script support Ed25519:
+
+dknewkey --ktype ed25519 anothernewkey
+
+will provide both the private key file (.key suffix) and a file with the DKIM
+public key record to be published DNS (.dns suffix).  Ed25519 keys do not have
+variable bit lengths.
+
+MTA INTEGRATION
+==============
+
 Both a systemd unit file and a sysv init file are provided.  Both make
 assumptions about defaults being used, e.g. if a non-standard pidfile name is
 used, they will need to be updated.  The sysv init file is Debian specific and
@@ -48,10 +99,19 @@ As an example, using the default dkimpy-user on Debian, the command would be:
 Since /var/run or /run is sometimes on a tempfs, if the PID file directory is
 missing, the milter will create it on startup.

+To start dkimpy-milter with systemd for the first time, you will need to take
+the following steps:
+
+[sudo] systemctl daemon-reload
+[sudo] systemctl enable dkimpy-milter
+[sudo] systemctl start dkimpy-milter
+[sudo] systemctl status dkimpy-milter (to verify it started correctly)
+
 As with all milters, dkimpy-milter needs to be integrated with your MTA of
 choice (Sendmail or Postfix).

-For Sendmail:
+SENDMAIL
+========

 Configuration is very similar to opendkim, but needs some adjustment for
 dkimpy-milter. Here's an example configuration line to include in your
@@ -67,12 +127,64 @@ Milter support should be present by default in most versions of sendmail
 these days, but if not included in your Sendmail build, see:
 http://www.elandsys.com/resources/sendmail/milter.html

-For Postfix:
+ISSUES USING SENDMAIL TO SIGN AND VERIFY
+========================================
+
+When using the sendmail MTA in both signing and verifying mode, there are
+a few issues of which to be aware that might cause operational problems
+and deserve consideration.
+
+(a) When the MTA will be used for relaying emails, e.g. delivering to other
+    hosts using the aliases mechanism, it is important not to break
+    signatures inserted by the original sender.  This is particularly sensitive
+    particular when the sending domain has published a "reject" DMARC policy.
+
+    By default, sendmail quotes to address header fields when there are no
+    quotes and the display part of the address contains a period or an
+    apostrophe.  However, opendkim only sees the raw, unmodified form of
+    the header field, and so the content that gets verified and what gets
+    signed will not be the same, guaranteeing the attached signature is not
+    valid.
+
+    To direct sendmail not to modify the headers, add this to your sendmail.mc:
+
+    	conf(`confMUST_QUOTE_CHARS', `')
+
+(b) As stated in sendmail's KNOWNBUGS file, sendmail truncates header field
+    values longer than 256 characters, which could mean truncating the domain
+    of a long From: header field value and invalidating the signature.
+    You may wish to consider increasing MAXNAME in sendmail/conf.h to mitigate
+    changing the messages and invalidating their signatures.  This change
+    requires recompiling sendmail.
+
+(c) Similar to (a) above, sendmail may wrap very long single-line recipient
+    fields for presentation purposes; for example:
+
+    To: very long name <a@example.org>,anotherloo...ong name b <b@example.org>
+
+    ...might be rewritten as:
+
+    To: very long name <a@example.org>,
+    	anotherloo...ong name b <b@example.org>
+
+    This rewrite is also done after opendkim has seen the message, meaning
+    the signature opendkim attaches to the message does not match the
+    content it signed.  There is not a known configuration change to
+    mitigate this mutation.
+
+    The only known mechanism for dealing with this is to have distinct
+    instances of opendkim do the verifying (inbound) and signing (outbound)
+    so that the version that arrives at the signing instance is already
+    in the rewritten form, guaranteeing the input and output are the same
+    and thus the signature matches the payload.
+
+POSTFIX
+=======

 Integration of dkimpy-milter into Postfix is like any milter (See Postfix's
-README_FILES/MILTER_README).  Here's an example master.cf excerpt the talks to
-two dkimpy-milter instances, one configured for signing and one configured for
-verification:
+README_FILES/MILTER_README).  Here's an example master.cf excerpt that talks
+to two dkimpy-milter instances, one configured for signing and one configured
+for verification:

 smtp       inet  n       -       -       -      -       smtpd
    ...
@@ -86,10 +198,46 @@ submission inet  n       -       -       -      -       smtpd

 These need to match the Socket value for each dkimpy-milter instance.

-The python DKIM library, dkimpy, requires the entire message being signed or
-verified to be in memory, so dkimpy-milter does not write messages out to a temp
-file.  This may impact performance on low-memory systems.
+Care is required to segregate outbound mail to be signed and inbound mail to
+be verified.  The above example uses two instances of dkimpy-milter to do
+this.  There are many possible ways.  Here is another example using milter
+macros to keep the mail streams segregated:

-WARNING: This is an alpha grade release to support interoperability testing with
-Ed25519 signatures and basic functionality.  It is known to be incomplete and
-not suitable for general use.
+Postfix master.cf:
+
+smtp       inet  n       -       -       -       -       smtpd
+    ...
+    -o smtpd_milters=inet:localhost:8891
+    -o milter_macro_daemon_name=VERIFYING
+    ...
+
+submission inet n       -       -       -       -       smtpd
+    -o syslog_name=postfix/submission
+    -o smtpd_tls_security_level=encrypt
+    -o smtpd_sasl_auth_enable=yes
+    ...
+    -o milter_macro_daemon_name=ORIGINATING
+    -o smtpd_milters=inet:localhost:8891
+    ...
+
+Dkimpy-milter.conf:
+
+...
+Mode			sv
+MacroList		dameon_name|ORIGINATING
+MacroListVerify		daemon_name|VERIFYING
+...
+
+
+NOTES
+=====
+
+The python DKIM library, dkimpy, requires the entire message being signed or
+verified to be in memory, so dkimpy-milter does not write messages out to a
+temp file.  This may impact performance on low-memory systems.
+
+DKIM with Ed25519 signatures are described in RFC 8463.  Version 1.0.0 and
+later support Ed25519 signing and verification.  RFC 8301 removed rsa-sha1
+from DKIM.  dkimpy-milter does not sign with rsa-sha1, but still considers
+rsa-sha1 signatures as valid for verification because they are still in
+common use and are not known to be cryptographically broken.
@@ -34,16 +34,21 @@ DiagnosticDirectory     implemented     verified
 InternalHosts   implemented     verified

 0.9.5 (Beta)
-
-
-SyslogSuccess
+MacroList	implemented	verified
+MacroListVerify	implemented	verified
+SyslogSuccess   implemented     verified

 1.0.0
-Convert dkim-milter-python config
-No additional features planned
+No additional features

-Plannedataset type support:
-db:/.db
+1.0.1
+Bug fix only, improved documentation
+
+1.1.0 (planned)
+Port to Python 3
+Subdomain support
+
+Planned dataset type support (if needed):
 mdb:

 Considered for near-term feature release
@@ -51,10 +56,10 @@ Considered for near-term feature release
 AlwaysAddARHeader
 ChangeRootDirectory
 ClockDrift (requires dkimpy change)
-DNSTimeout (requires dkmpy change)
-MacroList
+DNSTimeout (requires dkimpy change)
 MilterDebug
 MinimumKeyBits
+OversignHeaders (may require dkimpy changes)
 PeerList
 SignatureAlgorithm

@@ -85,7 +90,6 @@ On-InternalError
 On-KeyNotFound
 On-NoSignature
 On-SignatureError
-OversignHeaders
 RemoveARAll
 RemoveARFrom
 RemoveOldSignatures 
@@ -25,15 +25,12 @@ import sys
 import syslog
 import Milter
 import dkim
-from dkim.dnsplug import get_txt
-from dkim.util import parse_tag_value
 import authres
 import os
 import tempfile
 import StringIO
 import re
-from Milter.config import MilterConfigParser
-from Milter.utils import iniplist,parse_addr,parseaddr
+from Milter.utils import parse_addr, parseaddr
 import dkimpy_milter.config as config
 from dkimpy_milter.util import drop_privileges
 from dkimpy_milter.util import setExceptHook
@@ -42,230 +39,293 @@ from dkimpy_milter.util import read_keyfile
 from dkimpy_milter.util import own_socketfile
 from dkimpy_milter.util import fold

-__version__ = "0.9.4"
+__version__ = "1.0.1"
 FWS = re.compile(r'\r?\n[ \t]+')
-  
+
+
 class dkimMilter(Milter.Base):
-  "Milter to check and sign DKIM.  Each connection gets its own instance."
+    "Milter to check and sign DKIM.  Each connection gets its own instance."

-  def __init__(self):
-    self.mailfrom = None
-    self.id = Milter.uniqueID()
-    # we don't want config used to change during a connection
-    self.conf = milterconfig
-    self.privatersa = privateRSA
-    self.privateed25519 = privateEd25519
-    self.fp = None
+    def __init__(self):
+        self.mailfrom = None
+        self.id = Milter.uniqueID()
+        # we don't want config used to change during a connection
+        self.conf = milterconfig
+        self.privatersa = privateRSA
+        self.privateed25519 = privateEd25519
+        self.fp = None

-  @Milter.noreply
-  def connect(self,hostname,unused,hostaddr):
-    self.internal_connection = False
-    self.hello_name = None
-    # sometimes people put extra space in sendmail config, so we strip
-    self.receiver = self.getsymval('j').strip()
-    try:
-        self.AuthservID = milterconfig['AuthservID']
-    except:
-        self.AuthservID = self.receiver
-    if hostaddr and len(hostaddr) > 0:
-        ipaddr = hostaddr[0]
-        if milterconfig['InternalHostsObj']:
-            if milterconfig['InternalHostsObj'].match(ipaddr):
-                self.internal_connection = True
-    else: ipaddr = ''
-    self.connectip = ipaddr
-    if self.internal_connection:
-        connecttype = 'INTERNAL'
-    else:
-        connecttype = 'EXTERNAL'
-    if milterconfig.get('Syslog'):
-        syslog.syslog("connect from {0} at {1} {2}".format(hostname,hostaddr,connecttype))
-    return Milter.CONTINUE
+    @Milter.noreply
+    def connect(self, hostname, unused, hostaddr):
+        self.internal_connection = False
+        self.external_connection = False
+        self.hello_name = None
+        # sometimes people put extra space in sendmail config, so we strip
+        self.receiver = self.getsymval('j')
+        if self.receiver is not None:
+            self.receiver = self.receiver.strip()
+        try:
+            self.AuthservID = milterconfig['AuthservID']
+        except:
+            self.AuthservID = self.receiver
+        if hostaddr and len(hostaddr) > 0:
+            ipaddr = hostaddr[0]
+            if milterconfig['IntHosts']:
+                if milterconfig['IntHosts'].match(ipaddr):
+                    self.internal_connection = True
+        else:
+            ipaddr = ''
+        self.connectip = ipaddr
+        if milterconfig.get('MacroList') and not self.internal_connection:
+            macrolist = milterconfig.get('MacroList')
+            for macro in macrolist:
+                macroname = macro.split('|')[0]
+                macroname = '{' + macroname + '}'
+                macroresult = self.getsymval(macroname)
+                if ((len(macro.split('|')) == 1 and macroresult) or macroresult
+                        in macro.split('|')[1:]):
+                    self.internal_connection = True
+        if milterconfig.get('MacroListVerify'):
+            macrolist = milterconfig.get('MacroListVerify')
+            for macro in macrolist:
+                macroname = macro.split('|')[0]
+                macroname = '{' + macroname + '}'
+                macroresult = self.getsymval(macroname)
+                if ((len(macro.split('|')) == 1 and macroresult) or macroresult
+                        in macro.split('|')[1:]):
+                    self.external_connection = True
+        if self.internal_connection:
+            connecttype = 'INTERNAL'
+        else:
+            connecttype = 'EXTERNAL'
+        if milterconfig.get('Syslog') and milterconfig.get('debugLevel') >= 1:
+            syslog.syslog("connect from {0} at {1} {2}"
+                          .format(hostname, hostaddr, connecttype))
+        return Milter.CONTINUE

-  # multiple messages can be received on a single connection
-  # envfrom (MAIL FROM in the SMTP protocol) seems to mark the start
-  # of each message.
-  @Milter.noreply
-  def envfrom(self,f,*str):
-    if milterconfig.get('Syslog'):  
-        syslog.syslog("mail from: {0} {1}".format(f,str))
-    self.fp = StringIO.StringIO()
-    self.mailfrom = f
-    t = parse_addr(f)
-    if len(t) == 2: t[1] = t[1].lower()
-    self.canon_from = '@'.join(t)
-    self.user = self.getsymval('{auth_authen}')
-    self.has_dkim = 0
-    self.author = None
-    self.arheaders = []
-    self.arresults = []
-    '''if self.user:
-      # Very simple SMTP AUTH policy by default:
-      #   any successful authentication is considered INTERNAL
-      self.internal_connection = True
-      auth_type = self.getsymval('{auth_type}')
-      ssl_bits =  self.getsymval('{cipher_bits}')
-      if milterconfig.get('Syslog'):
-          syslog.syslog(
-              "SMTP AUTH:",self.user,"sslbits =",ssl_bits, auth_type,
-              "ssf =",self.getsymval('{auth_ssf}'), "INTERNAL"
-      )
-      # Detailed authorization policy is configured in the access file below.
-      self.arresults.append(
-        authres.SMTPAUTHAuthenticationResult(result = 'pass',
-      	result_comment = auth_type+' sslbits='+ssl_bits, smtp_auth = self.user)
-      )'''
-    return Milter.CONTINUE
+    # multiple messages can be received on a single connection
+    # envfrom (MAIL FROM in the SMTP protocol) seems to mark the start
+    # of each message.
+    @Milter.noreply
+    def envfrom(self, f, *str):
+        if milterconfig.get('Syslog') and milterconfig.get('debugLevel') >= 2:
+            syslog.syslog("mail from: {0} {1}".format(f, str))
+        self.fp = StringIO.StringIO()
+        self.mailfrom = f
+        t = parse_addr(f)
+        if len(t) == 2:
+            t[1] = t[1].lower()
+        self.canon_from = '@'.join(t)
+        self.has_dkim = 0
+        self.author = None
+        self.arheaders = []
+        self.arresults = []
+        return Milter.CONTINUE

-  @Milter.noreply
-  def header(self,name,val):
-    lname = name.lower()
-    if lname == 'dkim-signature':
-        if milterconfig.get('Syslog'):
-          syslog.syslog("{0}: {1}".format(name,val))
-        self.has_dkim += 1
-    if lname == 'from':
-        fname,self.author = parseaddr(val)
-        self.fdomain = self.author.split('@')[1]
-        if milterconfig.get('Syslog'):
-            syslog.syslog("{0}: {1}".format(name,val))
-    elif lname == 'authentication-results':
-        self.arheaders.append(val)
-    if self.fp:
-        self.fp.write("%s: %s\n" % (name,val))
-    return Milter.CONTINUE
+    @Milter.noreply
+    def header(self, name, val):
+        lname = name.lower()
+        if lname == 'dkim-signature':
+            if (milterconfig.get('Syslog') and
+                    milterconfig.get('debugLevel') >= 1):
+                syslog.syslog("{0}: {1}".format(name, val))
+            self.has_dkim += 1
+        if lname == 'from':
+            fname, self.author = parseaddr(val)
+            try:
+                self.fdomain = self.author.split('@')[1].lower()
+            except IndexError as er:
+                self.fdomain = ''  # self.author was not a proper email address
+            if (milterconfig.get('Syslog') and
+                    milterconfig.get('debugLevel') >= 1):
+                syslog.syslog("{0}: {1}".format(name, val))
+        elif lname == 'authentication-results':
+            self.arheaders.append(val)
+        if self.fp:
+            self.fp.write("%s: %s\n" % (name, val))
+        return Milter.CONTINUE

-  @Milter.noreply
-  def eoh(self):
-    if self.fp:
-      self.fp.write("\n")                         # terminate headers
-    self.bodysize = 0
-    return Milter.CONTINUE
+    @Milter.noreply
+    def eoh(self):
+        if self.fp:
+            self.fp.write("\n")   # terminate headers
+        self.bodysize = 0
+        return Milter.CONTINUE

-  @Milter.noreply
-  def body(self,chunk):         # copy body to temp file
-    if self.fp:
-      self.fp.write(chunk)      # IOError causes TEMPFAIL in milter
-      self.bodysize += len(chunk)
-    return Milter.CONTINUE
+    @Milter.noreply
+    def body(self, chunk):        # copy body to temp file
+        if self.fp:
+            self.fp.write(chunk)  # IOError causes TEMPFAIL in milter
+            self.bodysize += len(chunk)
+        return Milter.CONTINUE

-  def eom(self):
-    if not self.fp:
-      return Milter.ACCEPT      # no message collected - so no eom processing
-    # Remove existing Authentication-Results headers for our authserv_id
-    for i,val in enumerate(self.arheaders,1):
-      # FIXME: don't delete A-R headers from trusted MTAs
-      try:
-          ar = authres.AuthenticationResultsHeader.parse_value(FWS.sub('',val))
-          if ar.authserv_id == self.AuthservID:
-              self.chgheader('authentication-results',i,'')
-              if milterconfig.get('Syslog'):
-                  syslog.syslog('REMOVE: {0}'.format(val))
-      except:
-          # Don't error out on unparseable AR header fiels
-          pass
-    # Check or sign DKIM
-    self.fp.seek(0)
-    if milterconfig.get('Domain'):
-        domain = milterconfig.get('Domain')
-    else:
-        domain = ''
-    if (self.fdomain in domain) and (not milterconfig.get('Mode') == 'v'):
-      txt = self.fp.read()
-      self.sign_dkim(txt)
-      result = None
-    if (self.has_dkim) and (not self.internal_connection) and (milterconfig.get('Mode') == 'v' or milterconfig.get('Mode') == 'sv'):
-      txt = self.fp.read()
-      self.check_dkim(txt)
-    else:
-      result = 'none'
-    if self.arresults:
-        h = authres.AuthenticationResultsHeader(authserv_id = self.AuthservID, 
-            results=self.arresults)
-        h = fold(str(h))
-        if milterconfig.get('Syslog'):
-            syslog.syslog(str(h))
-        name,val = str(h).split(': ',1)
-        self.addheader(name,val,0)
-    return Milter.CONTINUE
+    def eom(self):
+        if not self.fp:
+            return Milter.ACCEPT  # no message collected - so no eom processing
+        # Remove existing Authentication-Results headers for our authserv_id
+        for i, val in enumerate(self.arheaders, 1):
+            # FIXME: don't delete A-R headers from trusted MTAs
+            try:
+                ar = (authres.AuthenticationResultsHeader
+                      .parse_value(FWS.sub('', val)))
+                if ar.authserv_id == self.AuthservID:
+                    self.chgheader('authentication-results', i, '')
+                    if (milterconfig.get('Syslog') and
+                            milterconfig.get('debugLevel') >= 1):
+                        syslog.syslog('REMOVE: {0}'.format(val))
+            except:
+                # Don't error out on unparseable AR header fiels
+                pass
+        # Check or sign DKIM
+        self.fp.seek(0)
+        if milterconfig.get('Domain'):
+            domain = milterconfig.get('Domain')
+        else:
+            domain = ''
+        if ((self.fdomain in domain) and not milterconfig.get('Mode') == 'v'
+                and not self.external_connection):
+            txt = self.fp.read()
+            self.sign_dkim(txt)
+        if ((self.has_dkim) and (not self.internal_connection) and
+            (milterconfig.get('Mode') == 'v' or
+             milterconfig.get('Mode') == 'sv')):
+            txt = self.fp.read()
+            self.check_dkim(txt)
+        if self.arresults:
+            h = authres.AuthenticationResultsHeader(authserv_id=
+                                                    self.AuthservID,
+                                                    results=self.arresults)
+            h = fold(str(h))
+            if (milterconfig.get('Syslog') and
+                    milterconfig.get('debugLevel') >= 2):
+                syslog.syslog(str(h))
+            name, val = str(h).split(': ', 1)
+            self.addheader(name, val, 0)
+        return Milter.CONTINUE

-  def sign_dkim(self,txt):
-      canon = milterconfig.get('Canonicalization')
-      canonicalize = []
-      if len(canon.split('/')) == 2:
-          canonicalize.append(canon.split('/')[0])
-          canonicalize.append(canon.split('/')[1])
-      else:
-          canonicalize.append(canon)
-          canonicalize.append(canon)
-      syslog.syslog('canonicalize: {0}'.format(canonicalize))
-      try:
-        if privateRSA:
-            d = dkim.DKIM(txt)
-            h = d.sign(milterconfig.get('Selector'), self.fdomain, privateRSA,
-                    canonicalize=(canonicalize[0], canonicalize[1]))
-            name,val = h.split(': ',1)
-            self.addheader(name,val.strip().replace('\r\n','\n'),0)
-        if privateEd25519:
-            d = dkim.DKIM(txt)
-            h = d.sign(milterconfig.get('SelectorEd25519'), self.fdomain, privateEd25519,
-                    canonicalize=(canonicalize[0], canonicalize[1]), signature_algorithm='ed25519-sha256')
-            name,val = h.split(': ',1)
-            self.addheader(name,val.strip().replace('\r\n','\n'),0)
-      except dkim.DKIMException as x:
-          if milterconfig.get('Syslog'):
-              syslog.syslog('DKIM: {0}'.format(x))
-      except Exception as x:
-          if milterconfig.get('Syslog'):
-              syslog.syslog("sign_dkim: {0}".format(x))
-          raise
-      
-  def check_dkim(self,txt):
-      res = False
-      conf = self.conf
-      for y in range(self.has_dkim): # Verify _ALL_ the signatures
-          d = dkim.DKIM(txt)
-          try:
-            res = d.verify(idx=y)
-            if res:
-              self.dkim_comment = 'Good {0} bit {1} signature.'.format(d.keysize, d.signature_fields.get(b'a'))
-            else:
-              self.dkim_comment = 'Bad {0} bit {1} signature.'.format(d.keysize, d.signature_fields.get(b'a'))
-          except dkim.DKIMException as x:
-            self.dkim_comment = str(x)
+    def sign_dkim(self, txt):
+        canon = milterconfig.get('Canonicalization')
+        canonicalize = []
+        if len(canon.split('/')) == 2:
+            canonicalize.append(canon.split('/')[0])
+            canonicalize.append(canon.split('/')[1])
+        else:
+            canonicalize.append(canon)
+            canonicalize.append(canon)
+            if (milterconfig.get('Syslog') and
+                    milterconfig.get('debugLevel') >= 1):
+                syslog.syslog('canonicalize: {0}'.format(canonicalize))
+        try:
+            if privateRSA:
+                d = dkim.DKIM(txt)
+                h = d.sign(milterconfig.get('Selector'), self.fdomain,
+                           privateRSA, canonicalize=(canonicalize[0],
+                                                     canonicalize[1]))
+                name, val = h.split(': ', 1)
+                self.addheader(name, val.strip().replace('\r\n', '\n'), 0)
+                if (milterconfig.get('Syslog') and
+                    (milterconfig.get('SyslogSuccess')
+                     or milterconfig.get('debugLevel') >= 1)):
+                    syslog.syslog('{0}: {1} DKIM-Signature field added (s={2} '
+                                  'd={3})'.format(self.getsymval('i'),
+                                                  d.signature_fields.get(b'a'),
+                                                  d.signature_fields.get(b's'),
+                                                  d.domain.lower()))
+            if privateEd25519:
+                d = dkim.DKIM(txt)
+                h = d.sign(milterconfig.get('SelectorEd25519'), self.fdomain,
+                           privateEd25519, canonicalize=(canonicalize[0],
+                                                         canonicalize[1]),
+                           signature_algorithm='ed25519-sha256')
+                name, val = h.split(': ', 1)
+                self.addheader(name, val.strip().replace('\r\n', '\n'), 0)
+                if (milterconfig.get('Syslog') and
+                    (milterconfig.get('SyslogSuccess')
+                     or milterconfig.get('debugLevel') >= 1)):
+                    syslog.syslog('{0}: {1} DKIM-Signature field added (s={2} '
+                                  'd={3})'.format(self.getsymval('i'),
+                                                  d.signature_fields.get(b'a'),
+                                                  d.signature_fields.get(b's'),
+                                                  d.domain.lower()))
+        except dkim.DKIMException as x:
            if milterconfig.get('Syslog'):
                syslog.syslog('DKIM: {0}'.format(x))
-          except Exception as x:
-            self.dkim_comment = str(x)
+        except Exception as x:
            if milterconfig.get('Syslog'):
-                syslog.syslog("check_dkim: {0}".format(x))
-          self.header_i = d.signature_fields.get(b'i')
-          self.header_d = d.signature_fields.get(b'd')
-          self.header_a = d.signature_fields.get(b'a')
-          if res:
-              if milterconfig.get('Syslog'):
-                  syslog.syslog('DKIM: Pass ({0})'.format(d.domain))
-              self.dkim_domain = d.domain
-          else:
-              if milterconfig.get['DiagnosticDirectory']:
-                  fd,fname = tempfile.mkstemp(".dkim")
-                  with os.fdopen(fd,"w+b") as fp:
-                      fp.write(txt)
-                  if milterconfig.get('Syslog'):
-                      syslog.syslog('DKIM: Fail (saved as {0})'.format(fname))
-              else:
-                  syslog.syslog('DKIM: Fail ({0})'.format(d.domain))
-          if res:
-            result = 'pass'
-          else:
-            result = 'fail'
-          res = False
-          self.arresults.append(
-            authres.DKIMAuthenticationResult(result=result,
-              header_i = self.header_i, header_d = self.header_d, header_a = self.header_a,
-              result_comment = self.dkim_comment)
-          )
-      return
+                syslog.syslog("sign_dkim: {0}".format(x))
+            raise
+
+    def check_dkim(self, txt):
+        res = False
+        for y in range(self.has_dkim):  # Verify _ALL_ the signatures
+            d = dkim.DKIM(txt)
+            try:
+                dnsoverride = milterconfig.get('DNSOverride')
+                if isinstance(dnsoverride, str):
+                    syslog.syslog("DNSOverride: {0}".format(dnsoverride))
+                    res = d.verify(idx=y, dnsfunc=lambda _x: dnsoverride)
+                else:
+                    res = d.verify(idx=y)
+                if res:
+                    if d.signature_fields.get(b'a') == 'ed25519-sha256':
+                        self.dkim_comment = ('Good {0} signature'
+                                             .format(d.signature_fields
+                                                     .get(b'a')))
+                    else:
+                        self.dkim_comment = ('Good {0} bit {1} signature'
+                                             .format(d.keysize,
+                                                     d.signature_fields
+                                                     .get(b'a')))
+                else:
+                    self.dkim_comment = ('Bad {0} bit {1} signature.'
+                                         .format(d.keysize,
+                                                 d.signature_fields.get(b'a')))
+            except dkim.DKIMException as x:
+                self.dkim_comment = str(x)
+                if milterconfig.get('Syslog'):
+                    syslog.syslog('DKIM: {0}'.format(x))
+            except Exception as x:
+                self.dkim_comment = str(x)
+                if milterconfig.get('Syslog'):
+                    syslog.syslog("check_dkim: {0}".format(x))
+            self.header_i = d.signature_fields.get(b'i')
+            self.header_d = d.signature_fields.get(b'd')
+            self.header_a = d.signature_fields.get(b'a')
+            if res:
+                if (milterconfig.get('Syslog') and
+                        (milterconfig.get('SyslogSuccess') or
+                         milterconfig.get('debugLevel') >= 1)):
+                    syslog.syslog('{0}: {1} DKIM signature verified (s={2} '
+                                  'd={3})'.format(self.getsymval('i'),
+                                                  d.signature_fields.get(b'a'),
+                                                  d.signature_fields.get(b's'),
+                                                  d.domain.lower()))
+                self.dkim_domain = d.domain.lower()
+            else:
+                if milterconfig.get('DiagnosticDirectory'):
+                    fd, fname = tempfile.mkstemp(".dkim")
+                    with os.fdopen(fd, "w+b") as fp:
+                        fp.write(txt)
+                    if milterconfig.get('Syslog'):
+                        syslog.syslog('DKIM: Fail (saved as {0})'
+                                      .format(fname))
+                else:
+                    syslog.syslog('DKIM: Fail ({0})'.format(d.domain.lower()))
+            if res:
+                result = 'pass'
+            else:
+                result = 'fail'
+            res = False
+            self.arresults.append(
+                authres.DKIMAuthenticationResult(result=result,
+                                                 header_i=self.header_i,
+                                                 header_d=self.header_d,
+                                                 header_a=self.header_a,
+                                                 result_comment=
+                                                 self.dkim_comment)
+            )
+        return
+

 def main():
    # Ugh, but there's no easy way around this.
@@ -274,15 +334,16 @@ def main():
    global privateEd25519
    privateRSA = False
    privateEd25519 = False
-    configFile = '/etc/dkimpy-milter.conf'
+    configFile = '/usr/local/etc/dkimpy-milter.conf'
    if len(sys.argv) > 1:
-        if sys.argv[1] in ( '-?', '--help', '-h' ):
+        if sys.argv[1] in ('-?', '--help', '-h'):
            print('usage: dkimpy-milter [<configfilename>]')
            sys.exit(1)
        configFile = sys.argv[1]
-    milterconfig = config._processConfigFile(filename = configFile)
+    milterconfig = config._processConfigFile(filename=configFile)
    if milterconfig.get('Syslog'):
-        facility = eval("syslog.LOG_{0}".format(milterconfig.get('SyslogFacility').upper()))
+        facility = eval("syslog.LOG_{0}"
+                        .format(milterconfig.get('SyslogFacility').upper()))
        syslog.openlog(os.path.basename(sys.argv[0]), syslog.LOG_PID, facility)
        setExceptHook()
    pid = write_pid(milterconfig)
@@ -294,12 +355,13 @@ def main():
    Milter.set_flags(Milter.CHGHDRS + Milter.ADDHDRS)
    miltername = 'dkimpy-filter'
    socketname = milterconfig.get('Socket')
-    if milterconfig.get('Syslog'):
-        syslog.syslog('dkimpy-milter started:{0} user:{1}'.format(pid,milterconfig.get('UserID')))
-    sys.stdout.flush()
-    Milter.runmilter(miltername,socketname,240)
    own_socketfile(milterconfig)
    drop_privileges(milterconfig)
+    sys.stdout.flush()
+    Milter.runmilter(miltername, socketname, 240)
+    if milterconfig.get('Syslog'):
+        syslog.syslog('dkimpy-milter started:{0} user:{1}'
+                      .format(pid, milterconfig.get('UserID')))

 if __name__ == "__main__":
    main()
@@ -0,0 +1,6 @@
+#!/usr/bin/python2
+
+from dkimpy_milter import main
+
+if __name__ == "__main__":
+    main()
@@ -12,7 +12,7 @@
 #        2.0 license - 100% GPL
 '''
    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License version 2 as published 
+    it under the terms of the GNU General Public License version 2 as published
    by the Free Software Foundation.

    This program is distributed in the hope that it will be useful,
@@ -27,8 +27,6 @@
 import syslog
 import os
 import sys
-import re
-import urllib
 import stat
 import dkim
 import socket
@@ -37,26 +35,29 @@ from dnsplug import Session

 #  default values
 defaultConfigData = {
-        'Syslog' : 'yes',
-        'SyslogFacility' : 'mail',
-        'UMask' : 007,
-        'Mode' : 'sv',
-        'Socket' : 'local:/var/run/dkimpy-milter/dkimpy-milter.sock',
-        'PidFile'  : '/var/run/dkimpy-milter/dkimpy-milter.pid',
-        'UserID' : 'dkimpy-milter',
-        'Canonicalization' : 'relaxed/simple',
-        'InternalHosts' : '127.0.0.1',
-        'InternalHostsObj' : False,
-        'DiagnosticDirectory' : ''
-        }
+    'Syslog': 'yes',
+    'SyslogFacility': 'mail',
+    'UMask': 007,
+    'Mode': 'sv',
+    'Socket': 'local:/var/run/dkimpy-milter/dkimpy-milter.sock',
+    'PidFile': '/var/run/dkimpy-milter/dkimpy-milter.pid',
+    'UserID': 'dkimpy-milter',
+    'Canonicalization': 'relaxed/simple',
+    'InternalHosts': '127.0.0.1',
+    'IntHosts': False,
+    'DiagnosticDirectory': '',
+    'MacroList': '',
+    'MacroListVerify': '',
+    'DNSOverride': None,
+    'debugLevel': 0  # Undocumented config item for developer use
+    }


-#################################
 class ConfigException(Exception):
    '''Exception raised when there's a configuration file error.'''
    pass

-#################################
+
 class HostsDataset(object):
    '''Hold a group of host related dataset objects'''

@@ -85,34 +86,41 @@ class HostsDataset(object):
                self.negative = True
            try:
                self.item = ipaddress.ip_address(unicode(self.item, "utf-8"))
-                if isinstance(self.item, ipaddress.IPv4Address): self.isipv4 = True
-                elif isinstance(self.item, ipaddress.IPv6Address): self.isipv6 = True
+                if isinstance(self.item, ipaddress.IPv4Address):
+                    self.isipv4 = True
+                elif isinstance(self.item, ipaddress.IPv6Address):
+                    self.isipv6 = True
            except ValueError as e:
                try:
-                    self.item = ipaddress.ip_network(unicode(self.item, "utf-8"), strict=False)
-                    if isinstance(self.item, ipaddress.IPv4Network): self.isipv4cidr = True
-                    elif isinstance(self.item, ipaddress.IPv6Network): self.isipv6cidr = True
+                    self.item = ipaddress.ip_network(unicode
+                                                     (self.item, "utf-8"),
+                                                     strict=False)
+                    if isinstance(self.item, ipaddress.IPv4Network):
+                        self.isipv4cidr = True
+                    elif isinstance(self.item, ipaddress.IPv6Network):
+                        self.isipv6cidr = True
                except ValueError as e2:
                    if self.item[0] == '.' and len(self.item.split('.')) > 2:
                        self.isdomain = True
-                    elif len(self.item.split('.')) > 1: # It has a '.' in it
+                    elif len(self.item.split('.')) > 1:  # It has a '.' in it
                        self.ishostname = True
                    else:
-                        raise ConfigException('Unknown dataset item: {0}'.format(item))
+                        raise ConfigException('Unknown dataset item: {0}'
+                                              .format(item))

    def match(self, connectip):
        '''Check if the connect IP is part of the dataset'''
        source = ipaddress.ip_address(unicode(connectip, "utf-8"))
        for item in self.dataset:
            if item.isdomain or item.ishostname:
-                result = self.matchname(source) # Match host/domain names first
+                result = self.matchname(source)   # Match host/domains first
                if result:
                    return(result)
-            elif item.isipv4 or item.isipv4cidr:
-                if isinstance(source, ipaddress.IPv4Address): # Then IPv4/6 addresses
-                    return(self.match4(source))               # or networks depending
-            elif item.isipv6 or item.isipv6cidr:              # on the item type and
-                if isinstance(source, ipaddress.IPv6Address): # connection type
+            elif item.isipv4 or item.isipv4cidr:  # Then IPv4/6 addresses or
+                if isinstance(source, ipaddress.IPv4Address):  # networks
+                    return(self.match4(source))   # depending on the item type
+            elif item.isipv6 or item.isipv6cidr:  # and connect type
+                if isinstance(source, ipaddress.IPv6Address):
                    return(self.match6(source))

    def matchname(self, source):
@@ -126,7 +134,7 @@ class HostsDataset(object):
        for item in self.dataset:
            if item.isdomain:
                for ptr in ptrlist:
-                    # Strip the leading '.' off the domain name so exact match works.
+                    # Strip the leading '.' off the domain name for exact match
                    if item.item[1:] == ptr[-len(item.item)+1:]:
                        matchdomain = True
                        negativedomain = item.negative
@@ -211,21 +219,16 @@ class HostsDataset(object):
            match = False
        return(match)

-    def dump(self):
-        for item in self.dataset:
-            print 'name: {0} ip4: {1} cidr4: {2} ip6: {3} cidr6: {4} host: {5} domain: {6} negat: {7} type: {8}'.format(item.item,
-                    item.isipv4, item.isipv4cidr, item.isipv6, item.isipv6cidr, item.ishostname, item.isdomain,
-                    item.negative, type(item.item))

-####################################################################
-def _processConfigFile(filename = None, configdata = None, useSyslog = 1,
-        useStderr = 0):
+def _processConfigFile(filename=None, configdata=None, useSyslog=1,
+                       useStderr=0):
    '''Load the specified config file, exit and log errors if it fails,
    otherwise return a config dictionary.'''

    import config
-    if configdata == None: configdata = config.defaultConfigData
-    if filename != None:
+    if configdata is None:
+        configdata = config.defaultConfigData
+    if filename is not None:
        try:
            _readConfigFile(filename, configdata)
        except Exception, e:
@@ -237,7 +240,7 @@ def _processConfigFile(filename = None, configdata = None, useSyslog = 1,
            sys.exit(1)
    return(configdata)

-####################
+
 def _find_boolean(item):
    if type(item) == int:
        item = str(item)
@@ -248,14 +251,15 @@ def _find_boolean(item):
    else:
        raise dkim.ParameterError()
    return item
-####################
-def _calculate_authserv_id(as_id):
+
+
+def _make_authserv_id(as_id):
    """Determine AuthservID if needed"""
    if as_id == 'HOSTNAME':
        as_id = socket.gethostname()
    return as_id

-####################
+
 def _dataset_to_list(dataset):
    """Convert a dataset (as defined in dkimpymilter.8) and return a python
       list of values."""
@@ -291,78 +295,79 @@ def _dataset_to_list(dataset):
        else:
            return [dataset.strip().strip(',')]
        if dataset[-3:] == '.db' or dataset[:3] == 'db:':
-            # This is a Sleepycat (Oracle) DB  dataset
-            import whichdb # Will need rewriting someday for python3
-            if dataset[-3:] == '.db':
-                dbname = dataset
-            elif dataset[:3] == 'db:':
-                dbname = dataset[3:]
-            else:
-                raise dkim.ParameterError('Unimplmented dataset type: {0}'.format(type(dataset)))
-            if whichdb.whichdb(dbname) != 'dbhash':
-                raise dkim.ParameterError('Unimplmented dataset type: {0}'.format(type(dataset)))
-            #TODO replace this with code to use db maps
-            raise dkim.ParameterError('Unsupported dataset db dataset not yet used: {0}'.format(type(dataset)))
+            #  This is a Sleepycat (Oracle) DB  dataset, which we dont support
+            raise dkim.ParameterError('Unsupported dataset db datase: {0}'
+                                      .format(type(dataset)))

-    raise dkim.ParameterError('Unimplmented dataset type: {0}'.format(type(dataset)))
+    raise dkim.ParameterError('Unimplmented dataset type: {0}'
+                              .format(type(dataset)))

-###############################################################
-commentRx = re.compile(r'^(.*)#.*$')
-def _readConfigFile(path, configData = None, configGlobal = {}):
+
+def _readConfigFile(path, configData=None, configGlobal={}):
    '''Reads a configuration file from the specified path, merging it
    with the configuration data specified in configData.  Returns a
    dictionary of name/value pairs based on configData and the values
    read from path.'''

    debugLevel = configGlobal.get('debugLevel', 0)
-    if debugLevel >= 5: syslog.syslog('readConfigFile: Loading "%s"' % path)
-    if configData == None: configData = {}
+    if debugLevel >= 5:
+        syslog.syslog('readConfigFile: Loading "%s"' % path)
+    if configData is None:
+        configData = {}
    nameConversion = {
-        'AuthservID' : 'str',
-        'Syslog' : 'bool',
-        'SyslogFacility' : 'str',
-        'SyslogSuccess' : 'bool',
-        'UMask' : 'int',
-        'Mode' : 'str',
-        'Socket' : 'str',
-        'PidFile'  : 'str',
-        'UserID' : 'str',
-        'Domain' : 'dataset',
-        'KeyFile' : 'str',
-        'KeyFileEd25519' : 'str',
-        'Selector' : 'str',
+        'AuthservID': 'str',
+        'Syslog': 'bool',
+        'SyslogFacility': 'str',
+        'SyslogSuccess': 'bool',
+        'UMask': 'int',
+        'Mode': 'str',
+        'Socket': 'str',
+        'PidFile': 'str',
+        'UserID': 'str',
+        'Domain': 'dataset',
+        'KeyFile': 'str',
+        'KeyFileEd25519': 'str',
+        'Selector': 'str',
        'SelectorEd25519': 'str',
-        'Canonicalization' : 'str',
-        'InternalHosts' : 'dataset',
-        'InternalHostsObj': 'bool',
-        'DiagnosticDirectory' : 'str'
-            }
+        'Canonicalization': 'str',
+        'InternalHosts': 'dataset',
+        'IntHosts': 'bool',
+        'DiagnosticDirectory': 'str',
+        'MacroList': 'dataset',
+        'MacroListVerify': 'dataset',
+        'DNSOverride': 'str',
+        'debugLevel': 'int'
+        }

    #  check to see if it's a file
    try:
        mode = os.stat(path)[0]
    except OSError, e:
-        syslog.syslog(syslog.LOG_ERR,'ERROR stating "%s": %s' % ( path, e.strerror ))
+        syslog.syslog(syslog.LOG_ERR, 'ERROR stating "%s": %s'
+                      % (path, e.strerror))
        return(configData)
    if not stat.S_ISREG(mode):
-        syslog.syslog(syslog.LOG_ERR,'ERROR: is not a file: "%s", mode=%s' % ( path, oct(mode) ))
+        syslog.syslog(syslog.LOG_ERR, 'ERROR: is not a file: "%s", mode=%s'
+                      % (path, oct(mode)))
        return(configData)

    #  load file
    fp = open(path, 'r')
    while 1:
        line = fp.readline()
-        if not line: break
+        if not line:
+            break

        #  parse line
        line = line.split('#', 1)[0].strip()
-        if not line: continue
+        if not line:
+            continue
        data = line.split()
        if len(data) != 2:
            if len(data) == 1:
                if debugLevel >= 1:
-                    syslog.syslog('Configuration item "%s" not defined in file "%s"'
-                        % ( line, path ))
+                    syslog.syslog('Config item "%s" not defined in file "%s"'
+                                  % (line, path))
        if len(data) == 1:
            name = data
            value = ''
@@ -374,27 +379,33 @@ def _readConfigFile(path, configData = None, configGlobal = {}):

        #  check validity of name
        conversion = nameConversion.get(name)
-        if conversion == None:
-            syslog.syslog('ERROR: Unknown name "%s" in file "%s"' % ( name, path ))
+        if conversion is None:
+            syslog.syslog('ERROR: Unknown name "%s" in file "%s"'
+                          % (name, path))
            continue

-        if debugLevel >= 5: syslog.syslog('readConfigFile: Found entry "%s=%s"'
-                % ( name, value ))
+        if debugLevel >= 5:
+            syslog.syslog('readConfigFile: Found entry "%s=%s"'
+                          % (name, value))
        if conversion == 'bool':
            configData[name] = _find_boolean(value)
        elif conversion == 'str':
-            configData[name] = str(value)
+            if isinstance(value, list):
+                configData[name] = line.split(None, 1)[1]
+            else:
+                configData[name] = str(value)
        elif conversion == 'int':
            configData[name] = int(value)
        elif conversion == 'dataset':
            configData[name] = _dataset_to_list(value)
        else:
-            syslog.syslog(str('name: ' + name + ' value: ' + value + ' conversion: ' + conversion))
+            syslog.syslog(str('name: ' + name + ' value: ' + value +
+                              ' conversion: ' + conversion))
            configData[name] = conversion(value)
    fp.close()
    try:
-        configData['AuthservID'] = _calculate_authserv_id(configData['AuthservID'])
-        configData['InternalHostsObj'] = HostsDataset(configData['InternalHosts'])
+        configData['AuthservID'] = _make_authserv_id(configData.get('AuthservID', 'HOSTNAME'))
+        configData['IntHosts'] = HostsDataset(configData['InternalHosts'])
    except:
        pass

@@ -16,6 +16,7 @@
 # with this program; if not, write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+
 def fold(header):
    """Fold a header line into multiple crlf-separated lines at column 72.
    Borrowed from dkimpy and updated to only add \n instead of \r\n because
@@ -46,9 +47,9 @@ def fold(header):
            j = i + 1
        pre += header[:j] + b"\n   "
        header = header[j:]
-        namelen = 0
    return pre + header

+
 def user_group(userid):
    """Return user and group from UserID"""
    import grp
@@ -64,13 +65,14 @@ def user_group(userid):
    running_gid = grp.getgrnam(gidname).gr_gid
    return running_uid, running_gid

+
 def drop_privileges(milterconfig):
    import os
    import syslog

    if os.getuid() != 0:
        if milterconfig.get('Syslog'):
-            syslog.syslog('drop_privileges: Not running as root. Cannot drop permissions.')
+            syslog.syslog('drop_privileges: Not root. No action taken.')
        return

    # Get user and group
@@ -86,9 +88,9 @@ def drop_privileges(milterconfig):
    # Set umask
    old_umask = os.umask(milterconfig.get('UMask'))

-#################
+
 class ExceptHook:
-    def __init__(self, useSyslog = 1, useStderr = 0):
+    def __init__(self, useSyslog=1, useStderr=0):
        self.useSyslog = useSyslog
        self.useStderr = useStderr

@@ -104,12 +106,11 @@ class ExceptHook:
                sys.stderr.write(line)


-####################
 def setExceptHook():
    import sys
-    sys.excepthook = ExceptHook(useSyslog = 1, useStderr = 1)
+    sys.excepthook = ExceptHook(useSyslog=1, useStderr=1)
+

-####################
 def write_pid(milterconfig):
    """Write PID in pidfile.  Will not overwrite an existing file."""
    import os
@@ -126,10 +127,11 @@ def write_pid(milterconfig):
                os.chown(piddir, user, group)
                f = open(milterconfig.get('PidFile'), 'w')
                if milterconfig.get('Syslog'):
-                    syslog.syslog('Missing pid dir created: {0}'.format(piddir))
+                    syslog.syslog('PID dir created: {0}'.format(piddir))
            else:
                if milterconfig.get('Syslog'):
-                    syslog.syslog('Unable to write pidfle {0}.  IOError: {1}'.format(milterconfig.get('PidFile'), e))
+                    syslog.syslog('Unable to write pidfle {0}.  IOError: {1}'
+                                  .format(milterconfig.get('PidFile'), e))
                raise
        f.write(pid)
        f.close()
@@ -137,20 +139,31 @@ def write_pid(milterconfig):
        os.chown(milterconfig.get('PidFile'), user, group)
    else:
        if milterconfig.get('Syslog'):
-            syslog.syslog('Unable to write pidfle {0}.  File exists.'.format(milterconfig.get('PidFile')))
-        raise RuntimeError('Unable to write pidfle {0}.  File exists.'.format(milterconfig.get('PidFile')))
+            syslog.syslog('Unable to write pidfle {0}.  File exists.'
+                          .format(milterconfig.get('PidFile')))
+        raise RuntimeError('Unable to write pidfle {0}.  File exists.'
+                           .format(milterconfig.get('PidFile')))
    return pid

+
 def own_socketfile(milterconfig):
    """If socket is Unix socket, chown to UserID before dropping privileges"""
    import os
    user, group = user_group(milterconfig.get('UserID'))
-    if milterconfig.get('Socket')[:1] == '/':
-        os.chown(milterconfig.get('Socket')[1:], user, group)
-    if milterconfig.get('Socket')[:6] == "local:":
-        os.chown(milterconfig.get('Socket')[6:], user, group)
+    offset = None
+    sockname = milterconfig.get('Socket')
+    if sockname[:1] == '/':
+        offset = 0
+    elif sockname[:6] == "local:":
+        offset = 6
+    elif sockname[:5] == "unix:":
+        offset = 5
+
+    if offset is not None:
+        if os.path.exists(sockname[offset:]):
+            os.chown(sockname[offset:], user, group)
+

-####################
 def read_keyfile(milterconfig, keytype):
    """Read private key from file."""
    import syslog
@@ -163,7 +176,8 @@ def read_keyfile(milterconfig, keytype):
        keylist = f.readlines()
    except IOError as e:
        if milterconfig.get('Syslog'):
-            syslog.syslog('Unable to read keyfile {0}.  IOError: {1}'.format(keyfile, e))
+            syslog.syslog('Unable to read keyfile {0}.  IOError: {1}'
+                          .format(keyfile, e))
        raise
    f.close()
    key = ''
@@ -127,7 +127,6 @@
 .rm #[ #] #H #V #F C
 .\" ========================================================================
 .\"
-.IX Title "dkimpy-milter 8"
 .TH dkimpyy-milter 8
 .SH NAME
 .B dkimpy
@@ -269,7 +268,7 @@ proposal, and Cisco's
 .B Internet Identified Mail
 (IIM) proposal.
 .SH VERSION
-This man page covers version 0.9.4 of
+This man page covers version 1.1.0 of
 .I dkimpy-milter.
 .SH COPYRIGHT
 Copyright (c) 2005-2008, Sendmail, Inc. and its suppliers.  All rights
@@ -278,7 +277,7 @@ reserved.
 Copyright (c) 2009-2013, 2015, The Trusted Domain Project.
 All rights reserved.

-Copyright (c) 2018 Scott Kitterman <scott@kitterman.com>
+Copyright (c) 2018, 2019 Scott Kitterman <scott@kitterman.com>
 .SH SEE ALSO
 .I dkimpy-milter.conf(5), sendmail(8)
 .P
@@ -292,4 +291,6 @@ RFC6376 - DomainKeys Identified Mail
 .P
 RFC7601 - Message Header Field for Indicating Message Authentication Status
 .P
-draft-ietf-dcrup-dkim-crypto - A new cryptographic signature method for DKIM
+RFC8301 - Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM)
+.P
+RFC8463 - A New Cryptographic Signature Method for DomainKeys Identified Mail (DKIM)
@@ -127,16 +127,13 @@
 .rm #[ #] #H #V #F C
 .\" ========================================================================
 .\"
-.IX Title "dkimpy-milter.conf 5"
 .TH dkimpy-milter.conf 5 "2018-02-12"
 .SH "NAME"
 dkimpy-milter \- Python milter for DKIM signing and validation
 .SH "VERSION"
-.IX Header "VERSION"
 0\.9\.2

 .SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
 .I dkimpy-milter(8)
 implements the
 .B DKIM
@@ -160,18 +157,15 @@ The provided setup.py installs this configuration file in /etc or
 Command line invocation of parameters as is done by OpenDKIM is not supported.

 .SH "USAGE"
-.IX Header "USAGE"
 Usage:
  dkimpy-milter [/etc/dkimpy-milter.conf]

 .SH "OTHER DOCUMENTATION"
-.IX Header "OTHER DOCUMENTATION"
 This documentation assumes you have read Postfix's README_FILES/MILTER_README
 (or Sendmail equivalent) and are generally familiar with Domain Keys Identified
 Mail (DKIM).  See RFC 6376 for details.

 .SH "SYNOPSIS"
-.IX Header "SYNOPSIS"

 dkimpy-milter operates with a default installed configuration file and 
 set of default configuration options that are used if the configuration file
@@ -181,14 +175,12 @@ files can be used directly.  Not all OpenDKIM options are supported.  If an
 unsupported option from OpenDKIM is specified, an error will be raised.

 .SH "DESCRIPTION"
-.IX Header "DESCRIPTION"

 Configuration options are described here and in the configuration file 
 provided with the package.  The provided setup.py installs this configuration 
 file in /etc or /usr/local/etc.

 .SH "OPTIONS"
-.IX Header "OPTIONS"

 .TP
 .I AuthservID (string)
@@ -255,13 +247,50 @@ all messages.  Ignored if a
 is defined. [KeyTable NOT IMPLEMENTED]

 .TP
-.I KeyFileEd25119 (string)
+.I KeyFileEd25519 (string)
 Gives the location of a Ed25519 private key to be used for Ed25519 signing
 all messages.  File is the Base64 encoded output of RFC 8032 Ed25519 private Key
 generation (as used in dkimpy).  Ignored if a 
 .I KeyTableEd25519
 is defined.  [KeyTableEd25519 NOT IMPLEMENTED]

+.TP
+.I MacroList (dataset)
+Defines a set of MTA-provided
+.I macros
+that should be checked to see if the sender has been determined to be a
+local user and therefore whether or not the message should be signed.  If
+a
+.I value
+is specified matching a macro name in the data set, the value of the macro
+must match a value specified (matching is case-sensitive), otherwise the
+macro must be defined but may contain any value.  The set is empty by
+default, meaning macros are not considered when making the sign-verify
+decision.  The general format of the value is
+.I value1[|value2[|...]];
+if one or more value is defined then the macro must be set to one of the
+listed values, otherwise the macro must be set but can contain any
+value.
+
+In order for the macro and its value to be available to the filter for
+checking, the MTA must send it during the protocol exchange.  This is either
+accomplished via manual configuration of the MTA to send the desired macros
+or, for MTA/filter combinations that support the feature, the filter can
+request those macros that are of interest.  The latter is a feature negotiated
+at the time the filter receives a connection from the MTA and its availability
+depends upon the version of milter used to compile the filter and the version
+of the MTA making the connection.
+
+.TP
+.I MacroListVerify (dataset)
+Defines a set of MTA-provided
+.I macros
+that should be checked to see if the sender has been determined to be an
+external source and therefore whether or not the message should be signed.
+Entries in this data set follow the same form as those of the
+.I MacroList
+option above.  [this option is not inhereted from OpenDKIM]  
+
 .TP
 .I Mode (string)
 Selects operating modes.  The string is a concatenation of characters that
@@ -282,6 +311,13 @@ be set:
 (b) KeyTable, SigningTable, no Domain, no KeyFile, no Selector;
 [fooTable options NOT IMPLEMENTED]

+.TP 
+.I DNSOverride (string)
+Provide a text string that a verifying milter should use instead of
+consulting the DNS on each message.  This is useful primarily for
+testing purposes in environments where it is awkward to modify the
+system DNS resolution.  It should not be used in production.
+
 .TP
 .I PeerList (dataset)
 Identifies a set of "peers" that identifies clients whose connections
@@ -404,7 +440,6 @@ unless an alternate
 is specified.

 .SH "AUTHORS"
-.IX Header "AUTHORS"
 \ddkimpy-milter\fR was written by Scott Kitterman <scott@kitterman.com>.
 It is based on dkimpy-milter.py  Copyright (c) 2001-2013 Business Management Systems, Inc.
 Copyright (c) 2013-2015 Stuart D. Gathman
@@ -18,20 +18,26 @@

 from setuptools import setup
 import os
-import dkimpy_milter

 description = "Domain Keys Identified Mail (DKIM) signing/verifying milter for Postfix/Sendmail."

+kw = {}  # Work-around for lack of 'or' requires in setuptools.
+try:
+    import dns
+    kw['install_requires'] = ['dkimpy>=0.7', 'pymilter', 'authres>=1.1.0', 'PyNaCl', 'ipaddress', 'dnspython']
+except ImportError:  # If PyDNS is not installed, prefer dnspython
+    kw['install_requires'] = ['dkimpy>=0.7', 'pymilter', 'authres>=1.1.0', 'PyNaCl', 'ipaddress', 'PyDNS']
+
 setup(
    name='dkimpy-milter',
-    version=dkimpy_milter.__version__,
+    version='1.0.1',
    author='Scott Kitterman',
    author_email='scott@kitterman.com',
    url='https://launchpad.net/dkimpy-milter',
    description=description,
    download_url = "https://pypi.python.org/pypi/dkimpy-milter",
    classifiers= [
-        'Development Status :: 3 - Alpha',
+        'Development Status :: 5 - Production/Stable',
        'Environment :: No Input/Output (Daemon)',
        'Intended Audience :: System Administrators',
        'License :: OSI Approved :: GNU General Public License (GPL)',
@@ -52,9 +58,9 @@ setup(
    data_files=[(os.path.join('share', 'man', 'man5'),
        ['man/dkimpy-milter.conf.5']), (os.path.join('share', 'man', 'man8'),
        ['man/dkimpy-milter.8']), ('etc', ['etc/dkimpy-milter.conf']),
-        (os.path.join('/lib', 'systemd', 'system'),
-        ['system/dkimpy-milter.service']),(os.path.join('/etc', 'init.d'),
+        (os.path.join('lib', 'systemd', 'system'),
+        ['system/dkimpy-milter.service']),(os.path.join('etc', 'init.d'),
        ['system/dkimpy-milter'])],
-    install_requires = ['dkimpy>=0.7', 'pymilter', 'authres>=1.1.0', 'PyNaCl', 'ipaddress', 'dns'],
    zip_safe = False,
+    **kw
 )
@@ -13,8 +13,6 @@
 # Provides:          dkim-milter dkim-milter-python dkimpy-milter
 # Required-Start:    $remote_fs $syslog $network $time
 # Required-Stop:     $remote_fs $syslog $network
-# Should-Start:
-# Should-Stop:
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: dkimpy-milter
@@ -31,7 +29,7 @@ NAME=dkimpy-milter
 DESC="Python DKIM Milter"
 USER=dkimpy-milter
 GROUP=dkimpy-milter
-SOCKET=$RUNDIR/dkimpy-milter.pid
+SOCKET=$RUNDIR/dkimpy-milter.sock

 test -x $DAEMON || exit 0

@@ -70,8 +68,8 @@ case "$1" in
 		fi
 	fi

-	start-stop-daemon --start --chuid $USER --background --quiet --pidfile \
-		$RUNDIR/$NAME.pid --exec $DAEMON $sysconfdir/$NAME.conf
+        start-stop-daemon --start --quiet --pidfile $RUNDIR/$NAME.pid --startas \
+                $DAEMON $sysconfdir/$NAME.conf --name $NAME --test > /dev/null \
 	echo "$NAME."
 	;;
  stop)
@@ -1,11 +1,12 @@
 [Unit]
 Description=DKIMpy Milter
-After=syslog.target network.target
+Documentation=man:dkimpy-milter(8) man:dkimpy-milter.conf(5) 
+After=network.target

 [Service]
 Type=simple
 PIDFile=/var/run/dkimpy-milter/dkimpy-milter.pid
-ExecStart=/usr/local/bin/dkimpy-milter 
+ExecStart=/usr/local/bin/dkimpy-milter /usr/local/etc/dkimpy-milter.conf 

 [Install]
 WantedBy=multi-user.target
@@ -0,0 +1,12 @@
+-- -*- lua -*-
+for _, keytype in ipairs({"ed25519", "rsa"}) do
+   for _, func in ipairs({"signing", "verify"}) do
+      mt.echo("testing "..keytype.." "..func)
+      conn = mt.connect("unix:"..keytype.."."..func..".sock")
+      if conn == nil then
+         error("mt.connect() failed "..keytype.." "..func)
+      end
+      mt.disconnect(conn)
+      mt.echo(keytype.." "..func.." complete")
+   end
+end
@@ -0,0 +1,40 @@
+-- -*- lua -*-
+for _, keytype in ipairs({"ed25519", "rsa"}) do
+   for _, func in ipairs({"signing", "verify"}) do
+      mt.echo("testing "..keytype.." "..func)
+      conn = mt.connect("unix:"..keytype.."."..func..".sock")
+      if conn == nil then
+         error("mt.connect() failed "..keytype.." "..func)
+      end
+      if mt.conninfo(conn, "localhost", "127.0.0.1") ~= nil then
+         error("mt.conninfo() failed "..keytype.." "..func)
+      end
+      if mt.getreply(conn) ~= SMFIR_CONTINUE then
+         error("mt.conninfo() unexpected reply "..keytype.." "..func)
+      end
+
+      if mt.test_action(conn, SMFIF_ADDHDRS) then
+         print("could add headers "..keytype.." "..func)
+      else
+         error("mt.test_action() says could not add headers "..keytype.." "..func)
+      end
+
+      if mt.test_action(conn, SMFIF_CHGHDRS) then
+         print("could change headers "..keytype.." "..func)
+      else
+         error("mt.test_action() says could not change headers "..keytype.." "..func)
+      end
+
+-- -- FIXME: this part of the test fails, as apparently the
+-- -- dkimpy-milter claims the right to change the body of a message,
+-- -- even though it shouldn't.  How can we fix the negotiation?
+--      if mt.test_action(conn, SMFIF_CHGBODY) then
+--         error("mt.test_action() says could change body "..keytype.." "..func)
+--      else
+--         print("could not change body "..keytype.." "..func)
+--      end
+
+      mt.disconnect(conn)
+      mt.echo(keytype.." "..func.." test complete")
+   end
+end
@@ -0,0 +1,100 @@
+-- -*- lua -*-
+
+msg = {
+   ['headers'] = {
+      ['From'] = 'Alice <alice@example.net>',
+      ['Message-Id'] = '<dkimpy-milter-test-02@example.net>',
+      ['To'] = 'Bob <bob@example.biz>',
+      ['Date'] = 'Mon, 18 Feb 2019 08:32:50 -0500',
+      ['Subject'] = 'Signing test',
+      ['Content-Type'] = 'text/plain',
+   },
+   ['body'] = "This is a test!\r\n",
+}
+
+-- returns miltertest connection object
+function connect_and_send (sockname, headers, body)
+   conn = mt.connect(sockname)
+   if conn == nil then
+      error "mt.connect() failed"
+   end
+   if mt.conninfo(conn, "localhost", "127.0.0.1") ~= nil then
+      error "mt.conninfo() failed"
+   end
+   if mt.getreply(conn) ~= SMFIR_CONTINUE then
+      error "mt.conninfo() unexpected reply"
+   end
+
+   -- mt.macro(conn, SMFIC_MAIL, "i", "simple-message")
+   if mt.mailfrom(conn, "<alice@example.net>") ~= nil then
+      error "mt.mailfrom() failed"
+   end
+   if mt.getreply(conn) ~= SMFIR_CONTINUE then
+      error "mt.mailfrom() unexpected reply"
+   end
+   -- mt.rcptto() is called implicitly
+
+   -- send headers
+   for key,value in pairs(headers) do
+      if mt.header(conn, key, value) ~= nil then
+         error("mt.header(" .. key .. ") failed")
+      end
+      if mt.getreply(conn) ~= SMFIR_CONTINUE then
+         error("mt.header(" .. key .. ") unexpected reply")
+      end
+   end
+   -- send EOH
+   if mt.eoh(conn) ~= nil then
+      error "mt.eoh() failed"
+   end
+   if mt.getreply(conn) ~= SMFIR_CONTINUE then
+      error "mt.eoh() unexpected reply"
+   end
+
+   -- send body
+   if mt.bodystring(conn, body) ~= nil then
+      error "mt.bodystring() failed"
+   end
+   if mt.getreply(conn) ~= SMFIR_CONTINUE then
+      error "mt.bodystring() unexpected reply"
+   end
+   -- end of message; let the filter react
+   if mt.eom(conn) ~= nil then
+      error "mt.eom() failed"
+   end
+   reply = mt.getreply(conn)
+   if reply ~= SMFIR_CONTINUE then
+      error ("mt.eom() unexpected reply: " .. reply)
+   end
+   return conn
+end
+
+for _, keytype in ipairs({"ed25519", "rsa"}) do
+   mt.echo("testing "..keytype)
+   signing = connect_and_send("unix:"..keytype..".signing.sock", msg.headers, msg.body)
+   -- verify that a test header field got added
+   if not mt.eom_check(signing, MT_HDRINSERT) then
+      error "no header added by signer"
+   end
+
+   signature = mt.getheader(signing, "DKIM-Signature", 0)
+
+   mt.disconnect(signing)
+
+   mt.echo("DKIM-Signature: " .. signature)
+
+   msg.headers['DKIM-Signature'] = signature
+
+   verify = connect_and_send("unix:"..keytype..".verify.sock", msg.headers, msg.body)
+
+   if not mt.eom_check(verify, MT_HDRINSERT) then
+      error "no header added in verify"
+   end
+
+   authres = mt.getheader(verify, "Authentication-Results", 0)
+   mt.echo("Authentication-Results: "..authres)
+
+   mt.disconnect(verify)
+
+   mt.echo(keytype.." complete")
+end
@@ -0,0 +1,2 @@
+#!/bin/sh
+python2 -m dkimpy_milter "$@"
@@ -0,0 +1,84 @@
+#!/bin/bash
+
+set -e
+WORKDIR=$(mktemp -d)
+TESTDIR=$(realpath "$(dirname "$0")")
+DKIMPY_MILTER=${DKIMPY_MILTER:-"$TESTDIR/dkimpy-milter"}
+KEY_TYPES=(ed25519 rsa)
+
+cd "$WORKDIR"
+
+printf "Testing %s from directory %s\n" "$DKIMPY_MILTER" "$WORKDIR"
+
+for keytype in "${KEY_TYPES[@]}"; do
+    dknewkey --ktype "$keytype" "testkey.$keytype"
+    if [ "$keytype" = ed25519 ]; then
+        keyfile=KeyFileEd25519
+        selector=SelectorEd25519
+    else
+        keyfile=KeyFile
+        selector=Selector
+    fi
+    cat > "$keytype.signing.conf" <<EOF
+Domain example.net
+$keyfile testkey.$keytype.key
+$selector testkey
+Socket unix:$keytype.signing.sock
+PidFile $keytype.signing.pid
+Mode s
+UserID $(id --name --user):$(id --name --group)
+EOF
+
+    cat > "$keytype.verify.conf" <<EOF
+Socket unix:$keytype.verify.sock
+PidFile $keytype.verify.pid
+Mode v
+DNSOverride $(cat testkey.$keytype.dns)
+UserID $(id --name --user):$(id --name --group)
+EOF
+done
+
+cleanup() {
+    echo cleaning up jobs:
+    jobs
+    for keytype in "${KEY_TYPES[@]}"; do
+        for func in signing verify; do
+            if [ -s "$keytype.$func.pid" ] && kill -0 "$(cat "$keytype.$func.pid")"; then
+                kill "$(cat $keytype.$func.pid)"
+            fi
+        done
+    done
+    wait
+    for keytype in "${KEY_TYPES[@]}"; do
+        for func in signing verify; do
+            errdata="$keytype.$func.stderr"
+            if [ -s "$errdata" ]; then
+                printf -- "-> %s:\n" "$errdata"
+                cat "$errdata"
+                printf -- "-> end %s\n" "$errdata"
+            fi
+        done
+    done
+    rm -rf "$WORKDIR"
+}
+
+for keytype in "${KEY_TYPES[@]}"; do
+    for func in signing verify; do
+        PYTHONPATH="$(dirname "$TESTDIR")" "$DKIMPY_MILTER" "$keytype.$func.conf" 2>"$keytype.$func.stderr" &
+    done
+done
+trap cleanup EXIT
+
+# ugly ugly (how are we supposed to know that the milters are all ready?):
+sleep 2
+
+# uses miltertest from opendkim:
+for x in ${TESTS:-"$TESTDIR"/*.miltertest}; do
+    if ! [ -e "$x" ]; then
+        if [ -e "$TESTDIR/$x" ]; then
+            x="$TESTDIR/$x"
+        fi
+    fi
+    printf -- "-> running %s...\n" "$x"
+    miltertest -s "$x"
+done
Author	SHA1	Message	Date
Daniel Kahn Gillmor	ad8f396db0	Expand test suite to cover RSA as well as ed25519	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	479820a07d	tests: test DKIM signing and verification This test makes use of DNSOverride and the new verifying milter to ensure that signatures can be verified properly. It doesn't test the actual interaction with the public DNS, but getting that kind of test to work on arbitrary platforms might be more trouble than it's worth. I note that the DNSOverride only works as long as testkey.dns is a single line, which is fine for ed25519, but maybe not for RSA.	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	7bfb87fab7	Set up __main__.py, use it in tests This allows us to invoke dkimpy-milter as "python -m dkimpy_milter dkimpy-milter.conf", which makes running the test suite easier.	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	5c1d5d6e52	tests: Run a verifying milter as well as a signing milter Having a verifying milter will come in handy when we want to test both sides of the DKIM process.	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	ae31730593	check for actions claimed by the filter	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	72ed000ccf	simple testing framework	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	b3db013754	config: Reassemble strings sensibly If a string-based configuation entry had whitespace in it, it would be reassembled via a round-trip through the python interpreter, resulting in a line like this: PidFile /home/dkimpy-milter/pid file produces a string like "['/home/dkimpy-milter/pid', 'file']", which is clearly wrong. I don't want to encourage people to use paths or other strings with whitespace in them, but if we're going to fail on them we should be failing explicitly, not doing a weird transformation that will just break. This is concretely useful for the DNSOverride mechanism, which is where i ran into the problem when trying to set up testing that could work without setting up an emulated DNS system.	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	bd1d25d83e	Set up correct AuthservID defaults Without this fix, a verifying dkimpy-milter that has no explicit AuthservID produces the following crashing behavior as it tries to create the authres header: Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/Milter/__init__.py", line 772, in <lambda> milter.set_eom_callback(lambda ctx: ctx.getpriv().eom()) File "…/dkimpy_milter/__init__.py", line 199, in eom h = fold(str(h)) File "/usr/lib/python2.7/dist-packages/authres/core.py", line 476, in __str__ return ''.join((self.HEADER_FIELD_NAME, ': ', self.header_value())) File "/usr/lib/python2.7/dist-packages/authres/core.py", line 496, in header_value return ''.join(strs)	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	1c6030024d	add DNSOverride configuration for testing	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	71c0c3f20a	Avoid failing to chown non-existent Unix-domain sockets Changing ownership of sockets that doesn't exist isn't a great practice. A better approach would be to apply os.chown() to the file descriptor of the open socket, but at the very least dkimpy-milter shouldn't crash the way it currently does if the socket isn't already present.	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	a9a6893c89	Handle unix: socket prefix the same as local: sendmail's milter.c treats these two declarations the same way, so what we do for one should also be done for the other.	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	bb44f36519	When Socket is absolute path, do not strip leading / This appears to just be an untested codepath.	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	9e11b75ec3	Avoid AttributeError on simple connection and disconnection Without this patch, this simple script for miltertest: ---- conn = mt.connect("unix:milter.sock") if conn == nil then error "mt.connect() failed" end if mt.conninfo(conn, nil, "unspec") ~= nil then error "mt.conninfo() failed" end if mt.getreply(conn) ~= SMFIR_CONTINUE then error "mt.conninfo() unexpected reply" end mt.disconnect(conn) ---- Produces the following error: Traceback (most recent call last): File "/usr/lib/python2.7/dist-packages/Milter/__init__.py", line 702, in connect_callback return m.connect(hostname,family,hostaddr) File "/usr/lib/python2.7/dist-packages/Milter/__init__.py", line 173, in wrapper rc = func(self,*args) File "/home/dkg/src/dkimpy-milter/dkimpy-milter/dkimpy_milter/__init__.py", line 64, in connect self.receiver = self.getsymval('j').strip() AttributeError: 'NoneType' object has no attribute 'strip'	2019-02-21 19:21:38 -05:00
Daniel Kahn Gillmor	f60ea12e86	Prefer dnspython over PyDNS in setup.py README and dkimpy_milter/dnsplug.py both prefer dnspython if available, over PyDNS. setup.py should order the preferences in the same way.	2019-02-21 19:21:36 -05:00
Daniel Kahn Gillmor	e872bd44b0	ignore emacs turds	2019-02-19 18:03:54 -05:00
Scott Kitterman	51c8fdcb6c	Bump version to 1.0.1, update TODO, set release date	2019-02-11 15:14:11 -05:00
Scott Kitterman	aa4dadc22f	* Reorder milter start and dropping privileges so permissions on Unix socket are correct (LP: 1797720)	2019-02-11 15:09:34 -05:00
Scott Kitterman	b1abbf9d61	- Make domain checks case insensitive for determining if signing should be done (LP: #1815311)	2019-02-11 14:55:35 -05:00
Scott Kitterman	ea2b612e8d	- Add information on Ed25519 key creation to README (LP: #1815313 )	2019-02-11 14:23:55 -05:00
Scott Kitterman	5945e818ca	- Add additional Sendmail configuration information to README from OpenDKIM update based on input from Дилян Палаузов (LP: #1801619)	2019-02-11 13:32:37 -05:00
Scott Kitterman	f38fed3bee	Rip out unused whichbd module in preparation for python3 port	2019-02-11 03:16:53 -05:00
Scott Kitterman	06948b3dbc	Update references in man/dkimpy-milter.8	2019-02-09 22:20:01 -05:00
Scott Kitterman	e951ab6c5e	Remove obsolete .IX macro from man pages Conflicts: man/dkimpy-milter.conf.5	2019-02-09 22:19:41 -05:00
Scott Kitterman	03c86a2b08	Fix grammar error in README	2019-02-09 22:18:11 -05:00
Scott Kitterman	2cda1758c1	Fix spelling error in README	2019-02-09 22:17:53 -05:00
Scott Kitterman	a188bd3960	Deleted reference to obsolete syslog target in unit file	2018-05-11 14:31:15 -04:00
Scott Kitterman	c91a12f0d1	Documentation updates for 1.0.0 release	2018-05-11 14:29:15 -04:00
Scott Kitterman	286ffbb6c9	Add release date for 0.9.7 to CHANGES	2018-03-19 01:07:52 -04:00
Scott Kitterman	ec3252c367	- Minor sysv init improvments	2018-03-15 23:59:03 -04:00
Scott Kitterman	a2ff03727d	- Put version directly in setup.py and do not import dkimpy_milter to ease install via pip	2018-03-15 23:44:31 -04:00
Scott Kitterman	af4b05e242	- Add missing documentation key to system/dkimpy-milter.service	2018-03-15 20:49:35 -04:00
Scott Kitterman	6509eaad35	- Made sysv init executable	2018-03-15 20:44:16 -04:00
Scott Kitterman	f9483fea8c	- Added protection for malformed From addresses. If the From does not at least have an '@' in the address, then the signing domain is not extracted and the message will not be signed	2018-03-15 20:42:49 -04:00
Scott Kitterman	7a3a7bfb43	Bump version to 0.9.6	2018-03-12 22:08:07 -04:00
Scott Kitterman	8a0e1bdd97	- Fixed typo in path for fallback location of the config file if one is not provided	2018-03-12 22:03:45 -04:00
Scott Kitterman	e3005aa723	Move OversignHeaders up earlier on TODO.	2018-03-12 22:03:36 -04:00
Scott Kitterman	45d3ba13ca	Added more to README about first run with systemd	2018-03-11 00:42:22 -05:00
Scott Kitterman	f05309437f	Fix merge conflict	2018-03-11 00:28:08 -05:00
Scott Kitterman	d4499f6990	Fixed typo in package installation section of README	2018-03-11 00:27:19 -05:00
Scott Kitterman	7d87309f4b	Fixed typo in package installation section of README	2018-03-11 00:24:39 -05:00
Scott Kitterman	1d8c309da9	Fix setup.py install locations so they are installed correctly and drop unneeded README changes.	2018-03-10 20:06:21 -05:00
Scott Kitterman	4d5961e4d5	Bump version	2018-03-10 19:52:29 -05:00
Scott Kitterman	59448e8e57	- Add information to README about manually putting init scripts in the right locations	2018-03-10 19:51:29 -05:00
Scott Kitterman	695de0db14	- Add conf file location to systemd unit file	2018-03-10 19:43:37 -05:00
Scott Kitterman	dfd6fa68c3	Changelog: release 0.9.5 (Beta 1)	2018-03-10 19:06:55 -05:00
Scott Kitterman	86eb152f93	Enhanced signature verification logging to provide more useful information, added signing success logging, and more PEP 8	2018-03-10 19:02:37 -05:00
Scott Kitterman	126966e110	- Update Authentication Results result comment not to mention key size for ed25519 signatures, since it's irrelevant	2018-03-10 18:18:01 -05:00
Scott Kitterman	5d8d47cd52	- Fixed install_requires so either dnspython (preferred if neither is installed) or PyDNS satisfies the install requirements	2018-03-10 17:49:22 -05:00
Scott Kitterman	1843ca6244	- Added support for SyslogSuccess option - Rationalized logging to be much less verbose unless SyslogSuccess or debugLevel are set - default is generally start/stop/errors only	2018-03-10 16:06:22 -05:00
Scott Kitterman	f9358d594c	Delete unused import	2018-03-10 15:36:40 -05:00
Scott Kitterman	a8aa422b03	Post pep-8 cleanup	2018-03-10 15:34:56 -05:00
Scott Kitterman	9836f2c9c2	Update TODO	2018-03-10 03:00:59 -05:00
Scott Kitterman	70606ac58c	pep8 and a few other cleanups	2018-03-10 02:45:35 -05:00
Scott Kitterman	6348bdcdc7	Cleanup, indentation, pyflakes	2018-03-10 00:52:45 -05:00
Scott Kitterman	fd39384e78	Fix for DiagnosticDirectory	2018-03-09 23:49:57 -05:00
Scott Kitterman	924c96d555	- Added example in README to show use of MacroList* to separate inbound and outbound mail streams	2018-03-09 22:50:07 -05:00
Scott Kitterman	efeabd19d3	Added support for MacroListVerify option	2018-03-09 22:39:55 -05:00
Scott Kitterman	a9b8a44bfc	Add support for MacroList option	2018-03-09 21:53:58 -05:00
Scott Kitterman	daaa6aada7	Fix option name typo in man/dkimpy-milter.conf.5	2018-03-09 20:45:57 -05:00
Scott Kitterman	e795db7c69	Start 0.9.5: Beta 1 (updated Alpha -> Beta warning in README and trove classifiers)	2018-03-09 18:08:42 -05:00